Posts Tagged ‘Authentication’
[DotJs2024] Our Future Without Passwords
Picture a horizon where authentication dissolves into biometric whispers and cryptographic confidences, banishing the tyranny of forgotten passphrases. Maud Nalpas, a fervent advocate for web security at Google, charted this trajectory at dotJS 2024, escorting audiences through passkeys’ ascent—a paradigm supplanting passwords with phishing-proof, breach-resistant elegance. With a lens honed on Chrome’s privacy vanguard, Maud dissected the relic’s frailties, from 81% breach culpability to mnemonic mayhem, before unveiling passkeys as the seamless salve.
Maud’s reverie evoked 1999’s innocence: Solitaire sessions interrupted by innocuous files, now echoed in 2024’s tax-season tedium—yet passwords persist, unyielding. Their design flaws—reusability, server-side secrets—fuel epidemics, mitigated marginally by managers yet unsolved at root. Enter passkeys: cryptographic key pairs, the private half cradled in a device enclave, the public half enshrined server-side. Creation’s choreography: a GitHub prompt summons Google’s credential vault, a fingerprint affirms, yielding a named credential. Login? A tap unlocks biometrics, with end-to-end encryption syncing across ecosystems—iCloud, 1Password—sans exposure of the private key.
This ballet boasts a trifecta of virtues. Usability gleams: no rote recall, a mere device nudge. Economics entice: the dual role as MFA slashes SMS tolls. Security soars: no server secrets—biometrics stay local, public keys are inert if stolen—and phishing is foiled by domain binding; a faux site summons no credential at all. Adoption surges—Amazon and PayPal in the vanguard—spanning web and native, browsers from Chrome to Safari, platforms from Android to macOS. Caveats linger: Linux and Firefox lag, and cross-ecosystem QR fallbacks bridge the gaps. Maud heralded 2024’s synchrony strides, with Google’s Password Manager poised for ubiquity.
Implementation beckons via passkeys.directory: libraries like @simplewebauthn streamline, UX paramount—progressive prompts easing novices. Maud’s missive: trial as user, embed as architect; this future, phishing-free and frictionless, awaits invocation.
Passkeys’ Cryptographic Core
Maud illuminated the duo: private keys, hardware-harbored, sign server-issued challenges; public keys verify, with minimal metadata. Sync is veiled in E2EE—Google’s vault, Apple’s keychain—with device recovery via QR or re-enrolment. Phishing’s nemesis: each credential is tied to its origin, so a spoofed domain elicits no credential, thwarting lures.
Adoption Accelerants and Horizons
A cross-platform chorus—Windows Edge, iOS Safari—minus the Linux/Firefox snags, soon to be salved. Costs dwindle via MFA fusion; UX evolves to prompt contextually. Maud’s clarion: libraries scaffold, inspiration abounds—forge passwordless realms, resilient and radiant.
[DefCon32] DEF CON 32: NTLM The Last Ride
Jim Rush and Tomais Williamson, security researchers from Wellington, New Zealand, electrified DEF CON 32 with a deep dive into exploiting NTLM authentication before its planned phase-out in Windows 11 and beyond. Representing CyberCX, they unveiled new vulnerabilities, bypassed existing fixes, and exposed insecure defaults in Microsoft’s NTLM-related controls. Their fast-paced presentation, infused with humor and technical depth, offered a final hurrah for NTLM hacking, urging attendees to turn off NTLM where possible.
Revisiting NTLM’s Persistent Flaws
Jim and Tomais began by contextualizing NTLM, a 25-year-old authentication protocol still prevalent despite its known weaknesses. They highlighted Microsoft’s plan to deprecate NTLM, yet emphasized its lingering presence in legacy systems. Their research uncovered new bugs, including a bypass of a previously patched CVE, allowing attackers to coerce NTLM authentication (and thus capture hashes) from various applications. By exposing these flaws, Jim and Tomais underscored the urgency of transitioning to more secure protocols such as Kerberos.
Novel Exploitation Techniques
The duo detailed their innovative approaches, combining multiple bug classes to extract NTLM hashes from unexpected sources, such as document processors and build servers. Their live demonstrations showcased “cooked” bugs—exploits leveraging URL inputs to trigger hash leaks. Jim’s anecdotes about their discoveries, including a nod to their CyberCX colleague’s assistance, highlighted the collaborative nature of their work. These techniques revealed NTLM’s fragility, especially in environments with permissive defaults.
Insecure Defaults and Systemic Gaps
Focusing on Microsoft’s NTLM security controls, Jim and Tomais exposed glaring gaps, such as libraries allowing unauthenticated hash extraction. They demonstrated how attackers could exploit these defaults in applications like Microsoft Teams or PDF generators, turning innocuous features into attack vectors. Their findings, supported by CyberCX’s research efforts, emphasized the need for organizations to audit NTLM usage and disable it wherever feasible to prevent hash coercion.
Community Collaboration and Future Steps
Concluding, Jim and Tomais called for community engagement, inviting attendees to share ideas for extracting hashes from novel sources like video games. They praised Microsoft’s MSRC team for their responsiveness and urged continued disclosure to advance research. Their advice to “turn off NTLM, then turn it back on when someone screams” humorously captured the challenge of legacy system dependencies, encouraging proactive steps toward more secure authentication frameworks.